What is the pattern? - math

I have a list of keys with some corresponding hex values.
The first 3 digits are the key and the rest is the value:
Key Value
110 02 30 30 81 56 8B 80 F4 4F 03
111 02 30 30 81 56 8B 81 F5 4F 03
112 02 30 30 81 56 8B 82 F6 4F 03
113 02 30 30 81 56 8B 83 F7 4F 03
114 02 30 30 81 56 8B 84 F8 4F 03
115 02 30 30 81 56 8B 85 F9 4F 03
116 02 30 30 81 56 8B 86 FA 4F 03
117 02 30 30 81 56 8B 87 FB 4F 03
118 02 30 30 81 56 8B 88 FC 4F 03
119 02 30 30 81 56 8B 89 FD 4F 03
120 02 30 30 81 56 8C 80 F5 4F 03
121 02 30 30 81 56 8C 81 F6 4F 03
122 02 30 30 81 56 8C 82 F7 4F 03
123 02 30 30 81 56 8C 83 F8 4F 03
124 02 30 30 81 56 8C 84 F9 4F 03
125 02 30 30 81 56 8C 85 FA 4F 03
126 02 30 30 81 56 8C 86 FB 4F 03
127 02 30 30 81 56 8C 87 FC 4F 03
128 02 30 30 81 56 8C 88 FD 4F 03
129 02 30 30 81 56 8C 89 FE 4F 03
130 02 30 30 81 56 8D 80 F6 4F 03
131 02 30 30 81 56 8D 81 F7 4F 03
132 02 30 30 81 56 8D 82 F8 4F 03
133 02 30 30 81 56 8D 83 F9 4F 03
134 02 30 30 81 56 8D 84 FA 4F 03
135 02 30 30 81 56 8D 85 FB 4F 03
136 02 30 30 81 56 8D 86 FC 4F 03
137 02 30 30 81 56 8D 87 FD 4F 03
138 02 30 30 81 56 8D 88 FE 4F 03
139 02 30 30 81 56 8D 89 FF 4F 03
140 02 30 30 81 56 8E 80 F7 4F 03
141 02 30 30 81 56 8E 81 F8 4F 03
142 02 30 30 81 56 8E 82 F9 4F 03
143 02 30 30 81 56 8E 83 FA 4F 03
144 02 30 30 81 56 8E 84 FB 4F 03
145 02 30 30 81 56 8E 85 FC 4F 03
146 02 30 30 81 56 8E 86 FD 4F 03
147 02 30 30 81 56 8E 87 FE 4F 03
148 02 30 30 81 56 8E 88 FF 4F 03
149 02 30 30 81 56 8E 89 F0 5F 03
150 02 30 30 81 56 8F 80 F8 4F 03
151 02 30 30 81 56 8F 81 F9 4F 03
152 02 30 30 81 56 8F 82 FA 4F 03
153 02 30 30 81 56 8F 83 FB 4F 03
154 02 30 30 81 56 8F 84 FC 4F 03
155 02 30 30 81 56 8F 85 FD 4F 03
156 02 30 30 81 56 8F 86 FE 4F 03
157 02 30 30 81 56 8F 87 FF 4F 03
158 02 30 30 81 56 8F 88 F0 5F 03
159 02 30 30 81 56 8F 89 F1 5F 03
160 02 30 30 81 56 90 80 F9 4F 03
161 02 30 30 81 56 90 81 FA 4F 03
162 02 30 30 81 56 90 82 FB 4F 03
163 02 30 30 81 56 90 83 FC 4F 03
164 02 30 30 81 56 90 84 FD 4F 03
165 02 30 30 81 56 90 85 FE 4F 03
166 02 30 30 81 56 90 86 FF 4F 03
167 02 30 30 81 56 90 87 F0 5F 03
168 02 30 30 81 56 90 88 F1 5F 03
169 02 30 30 81 56 90 89 F2 5F 03
170 02 30 30 81 56 91 80 FA 4F 03
171 02 30 30 81 56 91 81 FB 4F 03
172 02 30 30 81 56 91 82 FC 4F 03
173 02 30 30 81 56 91 83 FD 4F 03
174 02 30 30 81 56 91 84 FE 4F 03
175 02 30 30 81 56 91 85 FF 4F 03
176 02 30 30 81 56 91 86 F0 5F 03
177 02 30 30 81 56 91 87 F1 5F 03
178 02 30 30 81 56 91 88 F2 5F 03
179 02 30 30 81 56 91 89 F3 5F 03
180 02 30 30 81 56 92 80 FB 4F 03
181 02 30 30 81 56 92 81 FC 4F 03
182 02 30 30 81 56 92 82 FD 4F 03
183 02 30 30 81 56 92 83 FE 4F 03
184 02 30 30 81 56 92 84 FF 4F 03
185 02 30 30 81 56 92 85 F0 5F 03
186 02 30 30 81 56 92 86 F1 5F 03
187 02 30 30 81 56 92 87 F2 5F 03
188 02 30 30 81 56 92 88 F3 5F 03
189 02 30 30 81 56 92 89 F4 5F 03
I can't work out the relationship between the 2 numbers.
Bits 11 and 12 seem to relate to the tens in the key and are sequential
Bits 13 - 19 seem to be related to the units in the key but are not sequential (not in hex, decimal or binary)
The system was created in Spain (not sure if that matters)
Is this number sequential? Is there a pattern? i.e. can a program be written to calculate the Nth key's value?

Let data[i, j] represent the value in row i, column j, where i and j are both at least 1:
data[i + 1, 1] = data[i, 1] + 1
for all i, data[i, 2] = 02
for all i, data[i, 3] = 30
for all i, data[i, 4] = 81
for all i, data[i, 5] = 56
for all i, data[i, 6] = 8B + ((i - 1) - (i - 1) % A) / A
for all i, data[i, 7] = 80 + ((i - 1) % A)
for all i, data[i, 8] = F0 + (4 + ((i - 1) - (i - 1) % A) / A + i) % 10
for all i, data[i, 9] = 4F + 10 * ((4 + ((i - 1) - (i - 1) % A) / A + i) - ((4 + ((i - 1) - (i - 1) % A) / A + i) % 10) / 10)
for all i, data[i, A] = 03
Note that columns 6 and 7 represent a number equal to 8B7F + i. Also, column 9 represents whether the counter in column 8 has "wrapped around" F and started back at 0. In that sense, the 4 low-order bits of column 9 and column 8 can be taken as a three-digit number whose value is a "rolling window" with increment 1 and period A.
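A program for the question's last point, added here and not part of either post. It reproduces the listed rows under one reading of the data (an assumption, not something the posts state): the two bytes after `56` are 0x80 plus the key's tens and units, and the two bytes before the closing `03` carry the low byte of the sum of the first seven bytes, one nibble each. The names `build_frame`, `checksum_bytes`, `verify_frame` and `mismatches` are hypothetical.

```python
STX, ETX = 0x02, 0x03
FIXED = bytes([0x30, 0x30, 0x81, 0x56])  # identical in every listed row


def checksum_bytes(body: bytes) -> bytes:
    """Low byte of the byte sum, split into nibbles: F<low> then <high>F."""
    total = sum(body) & 0xFF
    return bytes([0xF0 | (total & 0x0F), (total & 0xF0) | 0x0F])


def build_frame(key: int) -> bytes:
    """Value bytes for a key, under the assumptions stated in the lead-in."""
    if not 0 <= key <= 1279:  # keeps 0x80 + tens within one byte
        raise ValueError("key out of range for this encoding")
    tens, units = divmod(key, 10)
    body = bytes([STX]) + FIXED + bytes([0x80 + tens, 0x80 + units])
    return body + checksum_bytes(body) + bytes([ETX])


def verify_frame(frame: bytes) -> bool:
    """True if framing bytes and the nibble-split checksum are consistent."""
    return (
        len(frame) == 10
        and frame[0] == STX
        and frame[-1] == ETX
        and frame[7:9] == checksum_bytes(frame[:7])
    )


def to_hex(frame: bytes) -> str:
    return " ".join(f"{b:02X}" for b in frame)


# Rows copied from the table in the question, chosen to include the points
# where the low nibble wraps from F to 0 and the neighbouring byte changes.
SAMPLE_ROWS = {
    110: "02 30 30 81 56 8B 80 F4 4F 03",
    119: "02 30 30 81 56 8B 89 FD 4F 03",
    120: "02 30 30 81 56 8C 80 F5 4F 03",
    139: "02 30 30 81 56 8D 89 FF 4F 03",
    148: "02 30 30 81 56 8E 88 FF 4F 03",
    149: "02 30 30 81 56 8E 89 F0 5F 03",
    158: "02 30 30 81 56 8F 88 F0 5F 03",
    167: "02 30 30 81 56 90 87 F0 5F 03",
    176: "02 30 30 81 56 91 86 F0 5F 03",
    185: "02 30 30 81 56 92 85 F0 5F 03",
    189: "02 30 30 81 56 92 89 F4 5F 03",
}


def mismatches(rows=SAMPLE_ROWS):
    """Keys whose generated frame differs from the row taken from the page."""
    return [k for k, text in rows.items() if to_hex(build_frame(k)) != text]


if __name__ == "__main__":
    for key in (110, 149, 189):
        print(key, to_hex(build_frame(key)))
    print("mismatches:", mismatches())
```

A plain byte sum like this detects accidental corruption only; anyone who can read one frame can produce a valid frame for any other key.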

Related

Detect tcp protocol, or fresh idea to reverse it

I'm trying to reverse an app and wanted to ask whether someone can help with a fresh idea, or already knows what is used here.
So the case: I have a client and a server, I have written a MITM app, and I can see the packets.
The packet order is
s2c: sending rsa key
c2s: sending some always static data, encrypted with rsa
s2c: sending some response, seems like a packet without a body (I'm here)
c2s: sending data, and here is the problem: this packet is not encrypted like packet 2
c2s: sending response
This is the packet header
50 50 00 00 40 00 50 00 00 00 00 00 ... rest is body
Let's divide it
50 50 - this is always the same
00 00 - this is some packet flag, because after packet 3 it always becomes x04 00
40 00 - this is the length, 100%
50 00 - packet code, I think
00 00 00 00 - I don't know what this is
body - is not readable, but also is not encrypted with rsa
Here is an example of the stream
**s2c packet 1**
2023/01/24 21:32:56 Received: 176
00000000 *50 50 00 00 a4 00 01 00 00 00 00 00* a2 00 2d 2d |PP............--|
00000010 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 55 42 |---BEGIN RSA PUB|
00000020 4c 49 43 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 45 63 |LIC KEY-----.MEc|
00000030 43 51 51 43 71 49 4e 36 37 76 45 52 47 37 34 49 |CQQCqIN67vERG74I|
00000040 64 77 38 6d 76 6c 66 6d 45 31 38 31 31 56 74 2b |dw8mvlfmE1811Vt+|
00000050 53 76 66 67 73 36 43 68 59 51 78 4e 5a 52 57 74 |Svfgs6ChYQxNZRWt|
00000060 7a 31 6f 62 50 53 69 34 62 75 78 72 41 0a 5a 6d |z1obPSi4buxrA.Zm|
00000070 6d 77 32 4e 69 38 44 59 74 67 6d 77 54 74 48 51 |mw2Ni8DYtgmwTtHQ|
00000080 66 6b 6d 35 65 59 2f 76 63 54 41 67 49 44 43 51 |fkm5eY/vcTAgIDCQ|
00000090 3d 3d 0a 2d 2d 2d 2d 2d 45 4e 44 20 52 53 41 20 |==.-----END RSA |
000000a0 50 55 42 4c 49 43 20 4b 45 59 2d 2d 2d 2d 2d 0a |PUBLIC KEY-----.|
2023/01/24 21:32:56 RSA Key chaged - here i changed key to my
**c2s packet 2**
2023/01/24 21:32:56 Received: 76
00000000 *50 50 00 00 40 00 50 00 00 00 00 00* 97 4a 85 34 |PP..@.P......J.4|
00000010 e6 e0 f8 56 d6 5b 12 a4 4b 3f e2 f3 c7 b4 a1 fc |...V.[..K?......|
00000020 c7 fe b8 88 bc b7 8b 93 89 c2 7f 02 09 7b 52 4a |.............{RJ|
00000030 23 be a4 47 eb b8 02 f5 0a 62 9a 88 15 13 12 de |#..G.....b......|
00000040 a4 94 2c 3a 0a 34 47 bb 13 6f d4 ae |..,:.4G..o..|
2023/01/24 21:32:56 Header: 76
00000000 *50 50 00 00 40 00 50 00 00 00 00 00* |PP..@.P.....|
2023/01/24 21:32:56 Encoded with my key
00000000 *97 4a 85 34 e6 e0 f8 56 d6 5b 12 a4* 4b 3f e2 f3 |.J.4...V.[..K?..|
00000010 c7 b4 a1 fc c7 fe b8 88 bc b7 8b 93 89 c2 7f 02 |................|
00000020 09 7b 52 4a 23 be a4 47 eb b8 02 f5 0a 62 9a 88 |.{RJ#..G.....b..|
00000030 15 13 12 de a4 94 2c 3a 0a 34 47 bb 13 6f d4 ae |......,:.4G..o..|
2023/01/24 21:32:56 Decoded body
00000000 29 00 00 00 23 48 00 00 be 18 00 00 84 67 00 00 |)...#H.......g..|
2023/01/24 21:32:56 Encoded with original key
00000000 0a cb d2 7f f6 a3 8b 57 2c 6b e8 6d ed f0 c1 36 |.......W,k.m...6|
00000010 e4 c8 00 9d ca 55 41 62 ef 4b 72 91 7c fc 7b 1d |.....UAb.Kr.|.{.|
00000020 e4 5c f0 2b ce 86 01 79 ae b8 13 dd 51 a0 30 c5 |.\.+...y....Q.0.|
00000030 6f 77 fa 11 ed 03 7b 2c 77 7c 5b 7e 61 6f 86 9d |ow....{,w|[~ao..|
**s2c packet 3**
2023/01/24 21:32:56 Received: 12
00000000 *50 50 00 00 00 00 02 00 00 00 00 00* |PP..........|
**c2s packet 4**
2023/01/24 21:32:56 Not decoding next packet
2023/01/24 21:32:56 Received: 174
00000000 *50 50 04 00 a2 00 01 30 00 00 00 00* 00 9f 53 ab |PP.....0......S.|
00000010 c8 58 49 ea 4d fa 18 f4 f1 fc 9a 3c 04 ca 11 94 |.XI.M......<....|
00000020 ab ec ba 1d c6 f0 5d e0 1f d6 87 2d de 0c 97 eb |......]....-....|
00000030 29 b7 d1 dc 48 38 f4 63 74 29 e2 ea 9f 81 a8 59 |)...H8.ct).....Y|
00000040 47 75 32 0d 53 0e 55 3e cd 7b 89 d9 c3 22 d5 39 |Gu2.S.U>.{...".9|
00000050 c4 18 a5 c7 e2 eb 3a 9e 72 13 36 c3 52 f5 e6 7d |......:.r.6.R..}|
00000060 9b bf 37 06 e5 e9 4c 74 ac 85 37 85 94 81 37 67 |..7...Lt..7...7g|
00000070 f9 28 60 c7 0a ca 4c 5a 57 20 d6 ce 7c 91 58 6b |.(`...LZW ..|.Xk|
00000080 56 af 96 a8 e4 b5 8c 19 2e 9a 8c fa a6 c2 08 24 |V..............$|
00000090 ab 97 5d be 74 c2 19 d2 bd f1 93 5f a5 65 c5 7c |..].t......_.e.||
000000a0 fa bb 46 07 80 fd b6 79 5c 19 6f 65 54 35 |..F....y\.oeT5|
**s2c packet 5**
2023/01/24 21:32:56 Received: 174
00000000 *50 50 04 00 a2 00 01 40 00 00 00 00* 00 9e e7 03 |PP.....@........|
00000010 1b aa 67 36 1e 6f 34 20 c3 7c a9 85 93 74 b7 53 |..g6.o4 .|...t.S|
00000020 cc 10 68 90 ec 41 54 68 bb 9e 3d 41 c9 3f db 41 |..h..ATh..=A.?.A|
00000030 09 b9 ae 6a 9b f9 5c 0f 47 c6 4b bd 94 08 20 b0 |...j..\.G.K... .|
00000040 2e f2 6e 40 11 b6 14 8b e0 51 89 db 0c e0 c8 5b |..n@.....Q.....[|
00000050 92 1f a3 08 90 05 5c b5 bb bb 50 c0 3e f6 ee e8 |......\...P.>...|
00000060 63 bd 23 74 53 24 8f a3 0b 4e 72 12 a0 0e ac 96 |c.#tS$...Nr.....|
00000070 03 2c e8 31 6a 34 10 84 63 7a e1 32 42 d3 69 17 |.,.1j4..cz.2B.i.|
00000080 73 df a4 89 35 90 0f 92 06 d7 3b 2e 3c 3d 6e 7e |s...5.....;.<=n~|
00000090 db 73 cb f0 96 95 df 84 af 20 b7 7b 7c 64 61 a9 |.s....... .{|da.|
000000a0 b2 0e 9d 1e bc 57 73 5f f0 bc a5 aa b8 36 |.....Ws_.....6|
Maybe someone can identify the protocol by the packet header, because I haven't seen anything similar before.
Thank you
I know that only packet 2 is encrypted, because I changed the RSA key to my key and decoded the data; it does not work with the other packets.
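The header layout guessed in the question, written out as a dissector. This is an added example, not code from the original post: it assumes the fields are little-endian 16-bit values as the breakdown suggests, checks the length field against the "Received: N" sizes of all five captured packets, and splits a reassembled byte stream into frames. The names `Header`, `parse_header`, `split_frames` and `check_capture` are hypothetical.

```python
import struct
from typing import NamedTuple

HEADER_LEN = 12
MAGIC = b"PP"  # the constant 50 50 at the start of every packet


class Header(NamedTuple):
    flags: int    # 00 00 in packets 1-3, 04 00 afterwards
    length: int   # body length in bytes (assumed little-endian)
    code: int     # the "packet code" guess from the question
    unknown: int  # four bytes that are zero in every sample


def parse_header(raw: bytes) -> Header:
    if len(raw) < HEADER_LEN:
        raise ValueError("need 12 header bytes")
    magic, flags, length, code, unknown = struct.unpack("<2sHHHI", raw[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic, stream is out of sync")
    return Header(flags, length, code, unknown)


def split_frames(stream: bytes):
    """Split reassembled TCP bytes into (Header, body) pairs.

    Returns the complete frames and the unconsumed tail, because a TCP read
    may end in the middle of a frame or contain several frames at once.
    """
    frames, pos = [], 0
    while len(stream) - pos >= HEADER_LEN:
        hdr = parse_header(stream[pos:pos + HEADER_LEN])
        end = pos + HEADER_LEN + hdr.length
        if end > len(stream):
            break  # body not fully received yet
        frames.append((hdr, stream[pos + HEADER_LEN:end]))
        pos = end
    return frames, stream[pos:]


# Direction, "Received: N" size and header bytes copied from the capture above.
CAPTURE = [
    ("s2c", 176, "50 50 00 00 a4 00 01 00 00 00 00 00"),
    ("c2s", 76, "50 50 00 00 40 00 50 00 00 00 00 00"),
    ("s2c", 12, "50 50 00 00 00 00 02 00 00 00 00 00"),
    ("c2s", 174, "50 50 04 00 a2 00 01 30 00 00 00 00"),
    ("s2c", 174, "50 50 04 00 a2 00 01 40 00 00 00 00"),
]


def check_capture(capture=CAPTURE):
    """For each packet: direction, parsed header, and whether length fits."""
    rows = []
    for direction, received, hex_header in capture:
        hdr = parse_header(bytes.fromhex(hex_header))
        rows.append((direction, hdr, hdr.length == received - HEADER_LEN))
    return rows


if __name__ == "__main__":
    for direction, hdr, ok in check_capture():
        print(direction, f"flags={hdr.flags:#06x} len={hdr.length} "
              f"code={hdr.code:#06x} length_ok={ok}")
```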

Decoding a larger DES data fails with Arduino

I am trying to add a NODE_MCU_V3 to a small BMS system I have running with Raspberry's and a Java library.
The device makes a call to the server, and gets a JSON response. This response is DES encrypted and then Base64 encoded. The sending of the information works fine with encoding, and receiving a response works on smaller responses. But if the JSON is more than 208 characters the decryption fails. I am not that familiar with Arduino and C but would have a guess it has to do with the size.
This is the relevant code. The result is a String taken from the server response.
The result of the Base64 decoder is what is expected, the problem is with the DES decipher. I added examples to the bottom in HEX.
char encoded[result.length()];
result.toCharArray(encoded, result.length());
// Convert back.
int decodedLength = Base64.decodedLength(encoded, sizeof(encoded));
char decodedChar[decodedLength];
Base64.decode(decodedChar, encoded, sizeof(encoded));
Serial.print("Decoded: "); printArray((byte*) decodedChar, sizeof(decodedChar));
byte jsonByte[decodedLength];
// Decrypt one 8-byte DES block at a time.
for (int i = 0; i < (des.get_size() / 8); i++) {
    byte intermitInput[8];
    byte intermitResult[8];
    for (int j = 0; j < 8; j++) {
        intermitInput[j] = (byte) decodedChar[(i * 8) + j];
    }
    des.decrypt(intermitResult, intermitInput, key);
    for (int j = 0; j < 8; j++) {
        jsonByte[(i * 8) + j] = intermitResult[j];
    }
}
Serial.print("Decrypted: "); printArray(jsonByte, sizeof(jsonByte));
char json[sizeof(jsonByte) + 1];
for (int i = 0; i < sizeof(jsonByte); i++) {
    json[i] = (char)jsonByte[i];
}
json[sizeof(jsonByte)] = '\0';
Serial.print("Decripted result:\t");
Serial.println(json);
StaticJsonDocument<256> doc;
DeserializationError error = deserializeJson(doc, json);
// Test if parsing succeeds.
if (error) {
    Serial.print(F("deserializeJson() failed."));
    return;
}
const char* resultStatus = doc["result"];
// strstr() returns NULL when the substring is absent; a pointer is never < 0.
if (resultStatus == NULL || strstr(resultStatus, "SUCCESS") == NULL) {
    Serial.print("Problem with the response: "); Serial.println(resultStatus);
    return;
}
Serial.print(" Value: "); Serial.println(resultStatus);
Server:
Json - Datalength: 359 - {"result":"SUCCESS","message":"(none)", "actions":[{"action":"initiation","data":[{"type":"IO_CONTROLLER","inputPins":"","outputPinsManual":"","relayDefaultState":"","inputResistance":"","inputPinsManual":"","outputPins":"4"}], "hostname":"AR-259bfc91250", "macAddress":"null"},{"action":"campAlarm","value":"false"},{"action":"warningBeep","value":"false"}]}
Base64 send: HmT9jAdLLtoETy7YINqwaUnlosVgKRixN3npBsJzPBcZllpFbiEn/vDJEMu7/NE3xTXJQjzBTn6El96P00BEHwpIY0zKptZOXSO9K8TwbTmYrcMQ93Yx0XR4+MhRaGY+nsulVR0brAwGsm53ipbkKS3pA2g+T63rXJQFD3swqh3loRQIo2a+8VhBFbUw6kue//zAq+8G7WsLrKkrZ+9UWH6qDnGXYmHqz3lC7CpWbZYiRuv3rqzabUprUkbKIoHPHm2xr5BaUmDHQna6e8u6AOTOgquyYPYGr+4Sd/fL9CqzysPMCcX7lnbF/rMMR9zUN9ZKeIY3ZDXu7lF+FGc7RerW3fMLI45GxT9ru+26sedMofu126xiihKuAHRxAX2Wl1fTei/6X5ksXsycn60/UAY4t6E1aV66IbVJR6NJL9yYs6JXD76kuuDVDUJhUu6AEned4PW6npauFc71gzU6MRZJm+qedmSI
Arduino:
Base64 coming in: HmT9jAdLLtoETy7YINqwaUnlosVgKRixN3npBsJzPBcZllpFbiEn/vDJEMu7/NE3xTXJQjzBTn6El96P00BEHwpIY0zKptZOXSO9K8TwbTmYrcMQ93Yx0XR4+MhRaGY+nsulVR0brAwGsm53ipbkKS3pA2g+T63rXJQFD3swqh3loRQIo2a+8VhBFbUw6kue//zAq+8G7WsLrKkrZ+9UWH6qDnGXYmHqz3lC7CpWbZYiRuv3rqzabUprUkbKIoHPHm2xr5BaUmDHQna6e8u6AOTOgquyYPYGr+4Sd/fL9CqzysPMCcX7lnbF/rMMR9zUN9ZKeIY3ZDXu7lF+FGc7RerW3fMLI45GxT9ru+26sedMofu126xiihKuAHRxAX2Wl1fTei/6X5ksXsycn60/UAY4t6E1aV66IbVJR6NJL9yYs6JXD76kuuDVDUJhUu6AEned4PW6npauFc71gzU6MRZJm+qedmSI
Base64 Decoded: 1E 64 FD 8C 07 4B 2E DA 04 4F 2E D8 20 DA B0 69 49 E5 A2 C5 60 29 18 B1 37 79 E9 06 C2 73 3C 17 19 96 5A 45 6E 21 27 FE F0 C9 10 CB BB FC D1 37 C5 35 C9 42 3C C1 4E 7E 84 97 DE 8F D3 40 44 1F 0A 48 63 4C CA A6 D6 4E 5D 23 BD 2B C4 F0 6D 39 98 AD C3 10 F7 76 31 D1 74 78 F8 C8 51 68 66 3E 9E CB A5 55 1D 1B AC 0C 06 B2 6E 77 8A 96 E4 29 2D E9 03 68 3E 4F AD EB 5C 94 05 0F 7B 30 AA 1D E5 A1 14 08 A3 66 BE F1 58 41 15 B5 30 EA 4B 9E FF FC C0 AB EF 06 ED 6B 0B AC A9 2B 67 EF 54 58 7E AA 0E 71 97 62 61 EA CF 79 42 EC 2A 56 6D 96 22 46 EB F7 AE AC DA 6D 4A 6B 52 46 CA 22 81 CF 1E 6D B1 AF 90 5A 52 60 C7 42 76 BA 7B CB BA 00 E4 CE 82 AB B2 60 F6 06 AF EE 12 77 F7 CB F4 2A B3 CA C3 CC 09 C5 FB 96 76 C5 FE B3 0C 47 DC D4 37 D6 4A 78 86 37 64 35 EE EE 51 7E 14 67 3B 45 EA D6 DD F3 0B 23 8E 46 C5 3F 6B BB ED BA B1 E7 4C A1 FB B5 DB AC 62 8A 12 AE 00 74 71 01 7D 96 97 57 D3 7A 2F FA 5F 99 2C 5E CC 9C 9F AD 3F 50 06 38 B7 A1 35 69 5E BA 21 B5 49 47 A3 49 2F DC 98 B3 A2 57 0F BE A4 BA E0 D5 0D 42 61 52 EE 80 12 77 9D E0 F5 BA 9E 96 AE 15 CE F5 83 35 3A 31 16 49 9B EA 9E 76 64 7F
Decrypted HEX: 7B 22 72 65 73 75 6C 74 22 3A 22 53 55 43 43 45 53 53 22 2C 22 6D 65 73 73 61 67 65 22 3A 22 28 6E 6F 6E 65 29 22 2C 20 22 61 63 74 69 6F 6E 73 22 3A 5B 7B 22 61 63 74 69 6F 6E 22 3A 22 69 6E 69 74 69 61 74 69 6F 6E 22 2C 22 64 61 74 61 22 3A 5B 7B 22 74 79 70 65 22 3A 22 49 4F 5F 43 4F 4E 54 52 4F 4C 4C 45 52 22 2C 22 69 6E 70 75 74 50 69 6E 73 22 3A 22 22 2C 22 6F 75 74 70 75 74 50 69 6E 73 4D 61 6E 75 61 6C 22 3A 22 22 2C 22 72 65 6C 61 79 44 65 66 61 75 6C 74 53 74 61 74 65 22 3A 22 22 2C 22 69 6E 70 75 74 52 65 73 69 73 74 61 6E 63 65 22 3A 22 22 2C 22 69 6E 70 75 74 50 69 6E 73 4D 61 6E 75 61 6C 22 3A 22 22 2C 42 89 FE 3F 00 00 00 00 0D 0A 00 25 35 78 20 40 42 89 FE 3F D0 00 00 00 20 00 00 00 C7 08 10 40 09 00 00 00 00 00 00 00 F0 A7 C6 4B 0F 00 00 00 54 58 20 40 10 E9 FE 3F 40 89 FE 3F 60 58 20 40 54 58 20 40 10 E9 FE 3F 40 89 FE 3F 21 5B 20 40 C8 FB FF 3F 60 FA FF 3F 10 E9 FE 3F 18 5C 20 40 54 58 20 40 10 E9 FE 3F ED 88 FE 3F 5E 15 20 40 68 01 00 00 10 E9 FE 3F ED 88 FE 3F 21 5B 20 40 10 E9 FE 3F 68 01 00 00 00 00 00 00 B0 FD FF 3F 10 E9 FE 3F 68 01 00 00
Decrypted JSON String: {"result":"SUCCESS","message":"(none)", "actions":[{"action":"initiation","data":[{"type":"IO_CONTROLLER","inputPins":"","outputPinsManual":"","relayDefaultState":"","inputResistance":"","inputPinsManual":"",B⸮⸮?
If you suspect you are running out of memory, you can try to reclaim memory buffers by dual-purposing them. For example, reuse the input buffer that contained the base64 data to store the decoded json; this will save you at least 208 bytes of RAM. It may be enough for your case. All you'd need to do to test this theory is this:
byte* jsonByte = (byte*)encoded; // save decodedLength bytes of RAM
For further savings, you can also try to decode the base64 in place, using a single buffer for both input and output. If your base64 decode can't do it (it likely can), then write your own that can; it's definitely feasible for very little pain. This can save you another 208 bytes, which is quite a lot. For testing this, change the declaration of decodedChar to:
char* decodedChar = encoded;
Base64.decodedLength() will always return (result.length() * 5) / 8, which is always smaller than the number of bytes coming in.
Also, there are more potential savings in the decryption. For one, the decryption can be done in place.
for (int i = 0; i < (des.get_size() / 8); i++) {
    byte intermitInput[8];
    byte intermitResult[8]; // not needed
    for (int j = 0; j < 8; j++) {
        intermitInput[j] = (byte) decodedChar[(i * 8) + j];
    }
    des.decrypt(intermitResult, intermitInput, key);
    for (int j = 0; j < 8; j++) {
        jsonByte[(i * 8) + j] = intermitResult[j];
    }
}
// could be done in-place with no loss of functionality,
// and a noticeable performance gain. Copying data takes
// time, too.
for (int i = 0; i < des.get_size(); i += 8) {
    byte intermitInput[8];
    for (int j = 0; j < 8; j++) {
        intermitInput[j] = (byte) decodedChar[i + j];
    }
    des.decrypt((byte*)decodedChar + i, intermitInput, key);
}
// result is in array decodedChar. array jsonByte is not needed anymore.
And here:
// you use 208 bytes of RAM only to add a null terminating character,
// when you could have simply allocated 1 more byte in jsonByte[], avoided
// this entire loop, and made your function run faster at the same time.
char json[sizeof(jsonByte) + 1];
for (int i = 0; i < sizeof(jsonByte); i++) {
    json[i] = (char)jsonByte[i];
}
json[sizeof(jsonByte)] = '\0';
My estimate is that you can reclaim at least 600 bytes of RAM in this function, which would allow you to process larger jsons.
With the details given in your question, it is impossible to give you an estimate of how large a json you'd be able to process.
Also, since your arduino bugs in printArray(), I'd check in there for any less than useful large intermediate arrays. In a print function, any array larger than 16 bytes would already be way too big for the task at hand. Ideally there should be no intermediate array at all in a print function.
To recap: You can and should reorganize your code to use only one array for input, all intermediate results and the final json. RAM resources are very limited on small microprocessors and Arduinos. With use, you will notice that embedded algorithms and libraries, like the DES encryption, are especially built so resource cost is as small as possible.
Another area to explore: Is the json result parsed by the Arduino? If not, the entire sequence could very likely be done 8 bytes at a time, read in a block of 10 bytes, and send the resulting 8 bytes to the Pi as you go, giving you the priceless capability to process jsons of unlimited size, at least on the arduino side of things.

Understanding of TCP packets reordering

I'm trying to filter duplicated/lost packets from TCP sniffing (using pcap), but I stopped at the understanding of seq/ack. Here are my logs with relative seq/ack:
CLIENT->SERVER/Seq=0;Ack=0/SYN/P.size:0; No data in TCP. Size: 66/66 -> 20 E7 1E 61 15 5B 4E 1D 00 00 00 00 80 02 F7 D3 4D 03 00 00 02 04 05 B4 01 03 03 06 01 01 04 02 | No payload
SERVER->CLIENT/Seq=0;Ack=1/ACK+SYN/P.size:0; No data in TCP. Size: 58/58 -> 1E 61 20 E7 C4 9D 5B 6B 15 5B 4E 1E 60 12 20 00 2D D1 00 00 02 04 05 B4 | No payload
CLIENT->SERVER/Seq=1;Ack=1/ACK/P.size:0; No data in TCP. Size: 54/54 -> 20 E7 1E 61 15 5B 4E 1E C4 9D 5B 6C 50 10 01 6D 64 21 00 00 | No payload
SERVER->CLIENT/Seq=1;Ack=268/ACK/P.size:0; No data in TCP. Size: 54/54 -> 1E 61 20 E7 C4 9D 5B 6C 15 5B 4F 29 50 10 5B 40 09 43 00 00 | No payload
CLIENT->SERVER/Seq=1;Ack=1/ACK+PSH/P.size:267; 20 E7 1E 61 15 5B 4E 1E C4 9D 5B 6C 50 18 01 6D AF 0B 00 00 | 0B 01 00 EA 02 00 00 09 07 54 56 03 09 0B 01 07 02 54 54 56 07 00 02 55 56 00 51 00 53 57 04 07 55 08 54 01 07 01 53 00 56 55 56 01 06 05 04 51 03 08 51 08 51 56 04 54 06 55 08 02 09 51 56 01 53 06 55 04 53 00 56 56 53 01 09 02 09 01 51 54 51 09 55 56 09 03 04 07 05 55 04 06 55 04 06 09 04 51 01 08 08 06 05 52 06 04 01 07 54 03 06 52 55 06 55 55 51 01 02 04 54 03 55 54 01 57 51 55 05 52 05 54 07 51 51 55 07 02 53 53 00 52 05 52 07 01 54 00 03 05 05 08 06 05 05 06 03 00 0D 08 01 07 09 03 51 03 07 53 09 51 06 07 54 0A 50 56 02 52 04 05 55 51 02 53 00 08 54 04 52 56 06 02 09 00 08 03 53 56 01 05 00 55 06 08 56 04 0D 06 07 52 06 07 04 0A 06 01 04 54 04 00 05 02 04 54 00 09 52 53 05 04 01 04 05 05 01 52 51 52 0D 06 51 08 09 54 53 00 0D 01 02 03 54 53 01 05 03 08 56 54 07 02 54 0B 06 DC 4F 61 4F
CLIENT->SERVER/Seq=267;Ack=1/ACK/P.size:0; No data in TCP. Size: 54/54 -> 20 E7 1E 61 15 5B 4F 28 C4 9D 5B 6C 50 10 01 6D 63 17 00 00 | No payload
SERVER->CLIENT/Seq=1;Ack=268/ACK+PSH/P.size:20; 1E 61 20 E7 C4 9D 5B 6C 15 5B 4F 29 50 18 5B 40 3A C6 00 00 | 14 00 00 01 E0 41 9A F0 98 F5 A4 37 01 00 00 00 01 00 00 00
CLIENT->SERVER/Seq=268;Ack=21/ACK/P.size:0; No data in TCP. Size: 54/54 -> 20 E7 1E 61 15 5B 4F 29 C4 9D 5B 80 50 10 01 6D 63 02 00 00 | No payload
SERVER->CLIENT/Seq=21;Ack=305/ACK/P.size:0; No data in TCP. Size: 54/54 -> 1E 61 20 E7 C4 9D 5B 80 15 5B 4F 4E 50 10 5B 40 09 0A 00 00 | No payload
CLIENT->SERVER/Seq=268;Ack=21/ACK+PSH/P.size:37; 20 E7 1E 61 15 5B 4F 29 C4 9D 5B 80 50 18 01 84 6B AF 00 00 | 25 00 32 DF 4C C6 2A 51 18 85 82 AC 27 D8 7A 06 44 DF F7 27 BD FC 59 43 3B E7 19 53 33 37 78 7B 93 81 38 51 CB
CLIENT->SERVER/Seq=304;Ack=21/ACK/P.size:0; No data in TCP. Size: 54/54 -> 20 E7 1E 61 15 5B 4F 4D C4 9D 5B 80 50 10 01 84 62 C7 00 00 | No payload
SERVER->CLIENT/Seq=21;Ack=305/ACK+PSH/P.size:328; 1E 61 20 E7 C4 9D 5B 80 15 5B 4F 4E 50 18 5B 40 AD 89 00 00 | 48 01 F3 B3 29 D9 41 E1 45 1B D3 98 0B 6E CF CC FD 18 F8 B9 23 3B 66 93 37 62 AA E9 7A 43 E2 B9 88 1F FF 77 80 70 E8 1D B9 8E 46 61 F2 F3 52 3E 0F 98 78 3B A1 51 C9 1E BA 8D 45 63 F0 F1 50 F9 F1 67 87 9E 3A C8 50 9D CB 03 34 63 CD C6 B0 FF 7A 4D ED 9F 36 F5 5E 98 43 FC 74 5A 8D 9E 3F 07 BC 10 F3 B2 28 D8 40 81 25 12 DA FD 6E 6F CE A2 93 04 E4 A5 3F CF 57 A2 06 31 F9 DE 4D 4C ED 81 B0 27 C7 86 1C EC 74 81 25 12 DA FD 6E 6F CE A2 93 04 E4 A5 3F CF 57 A2 06 31 F9 DE 4D 4C ED 81 B0 27 C7 86 1C EC 74 81 25 12 DA FD 6E 6F CE A2 93 04 E4 A5 3F CF 57 33 86 71 B9 8A 17 C7 66 1E 21 67 87 7A 95 B4 2C D9 7D 4A 82 A5 36 37 96 8B DB 85 65 24 BE 4E D6 23 87 B0 78 5F CC CD 6C 00 31 A6 46 07 9D 6D F5 00 A4 93 5B 7C EF EE 4F 23 12 85 65 24 BE 4E D6 23 87 B0 78 3F AE AF 0E 5E 6F F8 18 65 FF 0F 97 22 86 B1 79 5E CD CC 6D 01 30 A7 47 F3 76 86 1E EB 4F 78 B0 93 00 01 A0 CC FD 6A 8A C9 53 A3 3B B...
CLIENT->SERVER/Seq=305;Ack=349/ACK/P.size:0; No data in TCP. Size: 54/54 -> 20 E7 1E 61 15 5B 4F 4E C4 9D 5C C8 50 10 01 84 61 7E 00 00 | No payload
CLIENT->SERVER/Seq=305;Ack=349/ACK/P.size:0; No data in TCP. Size: 54/54 -> 20 E7 1E 61 15 5B 4F 4E C4 9D 5C C8 50 10 01 9B 61 67 00 00 | No payload
CLIENT->SERVER/Seq=304;Ack=349/ACK/P.size:0; No data in TCP. Size: 54/54 -> 20 E7 1E 61 15 5B 4F 4D C4 9D 5C C8 50 10 01 B2 61 51 00 00 | No payload
SERVER->CLIENT/Seq=349;Ack=305/ACK+PSH/P.size:7; 1E 61 20 E7 C4 9D 5C C8 15 5B 4F 4E 50 18 5B 40 05 3F 00 00 | 07 00 67 24 BE 4E D6
On the line 5
SERVER->CLIENT/Seq=1;Ack=268/ACK/P.size:0; No data in TCP. Size: 54/54 -> 1E 61 20 E7 C4 9D 5B 6C 15 5B 4F 29 50 10 5B 40 09 43 00 00 | No payload
the server sends an ACK with 268, while the client sends that 267-byte data only on the next line. Why is the order broken here?
As I understand, first the client should send seq1/ack1/L=267, and then the server should respond with seq1/Ack268.
Or does it mean, that I have to implement whole logic for packet exchange in TCP protocol (including selective ACKs?)
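A per-direction sequence tracker over the log above, as an added example that is not part of the original question. It uses the relative seq/ack values transcribed from the log and labels each segment the way capture analysers commonly do: an ACK for bytes the capture has not shown yet (a receiver cannot acknowledge data it never got, so the capture order or completeness is off, not the TCP exchange), and a zero-length segment one byte below the next expected sequence number (keep-alive style). The names `Seg`, `classify_capture` and `unseen_ack_positions` are hypothetical, and selective ACK options are not modelled.

```python
from collections import defaultdict, namedtuple

# src: "C" (client) or "S" (server); flags: S=SYN, A=ACK, P=PSH
Seg = namedtuple("Seg", "src seq ack flags length")

# Relative seq/ack/payload sizes transcribed from the log in the question.
LOG = [
    Seg("C", 0, 0, "S", 0),
    Seg("S", 0, 1, "SA", 0),
    Seg("C", 1, 1, "A", 0),
    Seg("S", 1, 268, "A", 0),
    Seg("C", 1, 1, "PA", 267),
    Seg("C", 267, 1, "A", 0),
    Seg("S", 1, 268, "PA", 20),
    Seg("C", 268, 21, "A", 0),
    Seg("S", 21, 305, "A", 0),
    Seg("C", 268, 21, "PA", 37),
    Seg("C", 304, 21, "A", 0),
    Seg("S", 21, 305, "PA", 328),
    Seg("C", 305, 349, "A", 0),
    Seg("C", 305, 349, "A", 0),
    Seg("C", 304, 349, "A", 0),
    Seg("S", 349, 305, "PA", 7),
]


def classify_capture(segments):
    """Return one list of labels per segment, in capture order."""
    nxt = {}                     # per sender: next sequence number expected
    pending = defaultdict(dict)  # per sender: early segments, seq -> length
    out = []
    for seg in segments:
        peer = "S" if seg.src == "C" else "C"
        expected = nxt.get(seg.src)
        labels = []
        if "S" in seg.flags:
            nxt[seg.src] = seg.seq + 1          # SYN consumes one number
            labels.append("syn")
        elif expected is None:
            nxt[seg.src] = seg.seq + seg.length  # capture began mid-stream
            labels.append("mid-stream")
        elif seg.length == 0:
            keepalive = seg.seq == expected - 1
            labels.append("keepalive-style" if keepalive else "pure-ack")
        elif seg.seq == expected:
            labels.append("in-order")
            nxt[seg.src] = expected + seg.length
            while nxt[seg.src] in pending[seg.src]:   # drain buffered data
                nxt[seg.src] += pending[seg.src].pop(nxt[seg.src])
        elif seg.seq + seg.length <= expected:
            labels.append("retransmission")      # every byte already seen
        elif seg.seq > expected:
            labels.append("out-of-order")        # hold until the gap fills
            pending[seg.src][seg.seq] = seg.length
        else:
            labels.append("partial-overlap")
            nxt[seg.src] = seg.seq + seg.length
        peer_next = nxt.get(peer)
        if "A" in seg.flags and peer_next is not None and seg.ack > peer_next:
            labels.append("acks-unseen-data")
        out.append(labels)
    return out


def unseen_ack_positions(segments):
    """1-based positions of segments that acknowledge bytes not yet captured."""
    return [i for i, labels in enumerate(classify_capture(segments), 1)
            if "acks-unseen-data" in labels]


if __name__ == "__main__":
    for i, (seg, labels) in enumerate(zip(LOG, classify_capture(LOG)), 1):
        print(f"{i:2} {seg.src} seq={seg.seq:<4} ack={seg.ack:<4} "
              f"len={seg.length:<4} {', '.join(labels)}")
```

Only segments labelled in-order (plus drained out-of-order ones) carry bytes the application has not seen before, so a duplicate filter can key on those labels instead of on capture order.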

What is brvread service/protocol in computer networks? [closed]

I'm analyzing a TCPdump file with Wireshark. Within the connection traces, I saw "brvread" port 1054 as both source and destination ports. When I searched it in the Internet, the only thing I found out was that it may be an indication of an attack or vulnerability. But apart from that I could not find any other information about what brvread is. Does anybody have any idea about it?
The package looks like this (Data from Angelo Neuschitzer):
# Time Source Target Protocol Length Info
1 0.000000000 192.168.2.107 239.255.255.250 UDP 1310 Source port: brvread Destination port: us-cli
Content:
NOTIFY * HTTP/1.1
x-type: localDvr
x-filter: 5107dcd0-aed6-4f2a-aa93-b5fea9caffec
x-lastUserActivity: 12/23/2013 10:03:29 AM
x-location: http://192.168.2.107:8080/dvrfs/info.xml
x-device: 3244238e-0e41-4f90-ae8a-35b8c84a11a2
x-debug: http://192.168.2.107:8080
<node count='961525'>
  <activities>
    <p15n stamp='08CF44F5A880AA10ECE09BE967E7'/>
    <schedver dver='3' ver='600' pendcap='False' />
    <x/>
    <recreq src='udp://239.35.20.43:10000:79b02293-93df-46f1-976d-c651c578fed7?r=3537009&p=1&ssrc0=514095545&r0=3537009&ch=11&profile=multicastICC&forceDetune=true&age=-1&skip=0' st='0x0' et='0xFFFFFFFFFFFFFFFF' postpad='0' rate='3537009' pri='1'/>
    <recordver ver='1' verid='0' size='137438953472' free='136834973696' />
    <x/>
    <tune src='udp://239.35.20.43:10000:79b02293-93df-46f1-976d-c651c578fed7' pipe='FULLSCREEN' ct='0xd6628ecdc4833e0d' pil='0x0' rate='0x35f871' stopped='false'/>
    <tune src='udp://239.35.20.43:10000:79b02293-93df-46f1-976d-c651c578fed7' rate='0x35f871' pil='0x0'/>
    <record url='http://192.168.2.107:8080/dvrfs/v17' src='udp://239.35.20.43:10000:79b02293-93df-46f1-976d-c651c578fed7' pri='1' st='0xd66288ea884a134e' et='0xd6628eced30f4a81' stopped='false'/>
  </activities>
</node>
(Indentation manually, there are no newlines etc. in package)
Following is a dump from wireshark:
Ok, it is much easier to proceed having all those details available.
What you actually see is Simple Service Discovery Protocol (SSDP) message. (Wikipedia)
brvread is an old name, came from IANA and used by Wireshark.
This port is also associated with AckCmd trojan. Interesting fact:
The interesting feature about this backdoor is that it only uses ACK
packets. This means that a standard connection is not established;
rather, data will be transmitted directly using ACK packets. This
makes it possible for the Trojan to bypass some firewalls.
So I think the actual explanation is quite trivial: some other service sits on that port and talks SSDP.

Wireshark - Get RTMP URL from this stream?

I have been used to listening to a radio station for quite a long time from WMP. But then they changed their structure and moved to an FMS server, which streams RTMP. I can only listen from their website. As much as possible I would like to get the RTMP URL so that I could fire up my VLC.
http://vov.vn/RadioPlayer.aspx?c=vov3
This is the player, the channel is VOV3.
I tried to use Wireshark but I couldn't get any URL, host or request URI from it.
Inspecting the stream packets, it's all MP3, and the port is 8080 (http-alt). The IP is 123.30.50.46.
However there are several interesting packets from the capture:
0080 00 07 5f 72 65 73 75 6c 74 00 3f f0 00 00 00 00 .._resul t.?.....
0090 00 00 03 00 06 66 6d 73 56 65 72 02 00 0e 46 4d .....fms Ver...FM
00a0 53 2f 34 2c 30 2c 33 2c 34 30 31 30 00 0c 63 61 S/4,0,3, 4010..ca
00b0 70 61 62 69 6c 69 74 69 65 73 00 40 6f e0 00 00 pabiliti es.@o...
00c0 00 00 00 00 04 6d 6f 64 65 00 3f f0 00 00 00 00 .....mod e.?.....
00d0 00 00 00 00 09 03 00 05 6c 65 76 65 6c 02 00 06 ........ level...
00e0 73 74 61 74 75 73 00 04 63 6f 64 65 02 00 1d 4e status.. code...N
00f0 65 74 43 6f 6e 6e 65 63 74 69 6f 6e 2e 43 6f 6e etConnec tion.Con
0100 6e 65 63 74 2e 53 75 63 63 65 73 73 00 0b 64 65 nect.Suc cess..de
0110 73 63 72 69 70 74 69 6f 6e 02 00 15 43 6f 6e 6e scriptio n...Conn
0120 65 63 74 69 6f 6e 20 73 75 63 63 65 65 64 65 64 ection s ucceeded
0130 2e 00 0e 6f 62 6a 65 63 74 45 6e 63 6f 64 69 6e ...objec tEncodin
0140 67 00 00 00 00 00 00 00 00 00 00 04 64 61 74 61 g....... ....data
0150 08 00 00 00 00 00 07 76 65 72 73 69 6f 6e 02 00 .......v ersion..
0160 0a 34 2c 30 2c 33 2c 34 30 31 30 00 00 09 00 00 .4,0,3,4 010.....
0070 02 00 08 6f 6e 53 74 61 74 75 73 00 00 00 00 00 ...onSta tus.....
0080 00 00 00 00 05 03 00 05 6c 65 76 65 6c 02 00 06 ........ level...
0090 73 74 61 74 75 73 00 04 63 6f 64 65 02 00 14 4e status.. code...N
00a0 65 74 53 74 72 65 61 6d 2e 50 6c 61 79 2e 52 65 etStream .Play.Re
00b0 73 65 74 00 0b 64 65 73 63 72 69 70 74 69 6f 6e set..des cription
00c0 02 00 1b 50 6c 61 79 69 6e 67 20 61 6e 64 20 72 ...Playi ng and r
00d0 65 73 65 74 74 69 6e 67 20 76 6f 76 33 2e 00 07 esetting vov3...
00e0 64 65 74 61 69 6c 73 02 00 04 76 6f 76 33 00 08 details. ..vov3..
00f0 63 6c 69 65 6e 74 69 64 02 00 08 70 41 41 37 41 clientid ...pAA7A
0050 08 6f 6e 53 74 61 74 75 73 00 00 00 00 00 00 00 .onStatu s.......
0060 00 00 05 03 00 05 6c 65 76 65 6c 02 00 06 73 74 ......le vel...st
0070 61 74 75 73 00 04 63 6f 64 65 02 00 14 4e 65 74 atus..co de...Net
0080 53 74 72 65 61 6d 2e 50 6c 61 79 2e 53 74 61 72 Stream.P lay.Star
0090 74 00 0b 64 65 73 63 72 69 70 74 69 6f 6e 02 00 t..descr iption..
00a0 15 53 74 61 72 74 65 64 20 70 6c 61 79 69 6e 67 .Started playing
00b0 20 76 6f 76 33 2e 00 07 64 65 74 61 69 6c 73 02 vov3... details.
00c0 00 04 76 6f 76 33 00 08 63 6c 69 65 6e 74 69 64 ..vov3.. clientid
00d0 02 00 08 70 41 41 37 41 52 44 41 00 00 09 04 00 ...pAA7A RDA.....
00e0 00 00 00 00 18 12 01 00 00 00 02 00 11 7c 52 74 ........ .....|Rt
00f0 6d 70 53 61 6d 70 6c 65 41 63 63 65 73 73 01 00 mpSample Access..
0100 01 00 04 00 00 00 00 01 44 12 01 00 00 00 02 00 ........ D.......
0110 0a 6f 6e 4d 65 74 61 44 61 74 61 03 00 06 61 75 .onMetaD ata...au
0120 74 68 6f 72 02 00 00 00 09 63 6f 70 79 72 69 67 thor.... .copyrig
0130 68 74 02 00 00 00 0b 64 65 73 63 72 69 70 74 69 ht.....d escripti
0140 6f 6e 02 00 00 00 08 6b 65 79 77 6f 72 64 73 02 on.....k eywords.
0150 00 00 00 06 72 61 74 69 6e 67 02 00 00 00 05 74 ....rati ng.....t
0160 69 74 6c 65 02 00 00 00 0a 70 72 65 73 65 74 6e itle.... .presetn
0170 61 6d 65 02 00 06 43 75 73 74 6f 6d 00 0c 63 72 ame...Cu stom..cr
0180 65 61 74 69 6f 6e 64 61 74 65 02 00 19 54 68 75 eationda te...Thu
0190 20 41 75 67 20 32 35 20 31 38 3a 32 34 3a 31 33 Aug 25 18:24:13
01a0 20 32 30 31 31 0a 00 0b 61 75 64 69 6f 64 65 76 2011... audiodev
01b0 69 63 65 02 00 1f 53 6f 75 6e 64 20 42 6c 61 73 ice...So und Blas
01c0 74 65 72 20 58 2d 46 69 20 58 74 72 65 6d 65 20 ter X-Fi Xtreme
01d0 41 75 64 69 6f 00 0f 61 75 64 69 6f 73 61 6d 70 Audio..a udiosamp
01e0 6c 65 72 61 74 65 00 40 e5 88 80 00 00 00 00 00 lerate.@ ........
01f0 0d 61 75 64 69 6f 63 68 61 6e 6e 65 6c 73 00 40 .audioch annels.@
0200 00 00 00 00 00 00 00 00 10 61 75 64 69 6f 69 6e ........ .audioin
0210 70 75 74 76 6f 6c 75 6d 65 00 40 51 40 00 00 00 putvolum e.@Q@...
0220 00 00 00 0c 61 75 64 69 6f 63 6f 64 65 63 69 64 ....audi ocodecid
0230 02 00 04 2e 6d 70 33 00 0d 61 75 64 69 6f 64 61 ....mp3. .audioda
0240 74 61 72 61 74 65 00 40 60 00 00 00 00 00 00 00 tarate.@ `.......
Would someone be able to get the URL from this stream?
Just been on a huge mission round the houses with Wireshark and eventually reached a dead end because it never does a DNS lookup for the RTMP stream. Then I realised that it must therefore be hard-coded with an IP address. If you view the source on the page you will find this...
so.addParam('flashvars','&file=vov3.flv&streamer=rtmp://123.30.50.46:8080/live&skin=/Images/modieus.swf&autostart=true');
So I guess the URL would be
rtmp://123.30.50.46:8080/live/vov3.flv
I can't get it to work in my VLC but I think that is a problem with my VLC rather than the URL.
If you need any more info about the stream or generally want to have a play, check this out.
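An added example, not part of the original posts: a minimal AMF0 decoder run over the NetStream.Play.Start bytes from the question's dump, together with the streamer/file join the answer describes. The function names are hypothetical, and the leading `02 00` bytes (which sit just before offset 0050 in that dump) are restored as an assumption.

```python
import struct
from urllib.parse import parse_qs

# Offsets 0x0050-0x00dd of the question's NetStream.Play.Start dump; the leading
# "02 00" (AMF0 string header just before 0x0050) is restored as an assumption.
ONSTATUS = bytes.fromhex("""02 00
08 6f 6e 53 74 61 74 75 73 00 00 00 00 00 00 00
00 00 05 03 00 05 6c 65 76 65 6c 02 00 06 73 74
61 74 75 73 00 04 63 6f 64 65 02 00 14 4e 65 74
53 74 72 65 61 6d 2e 50 6c 61 79 2e 53 74 61 72
74 00 0b 64 65 73 63 72 69 70 74 69 6f 6e 02 00
15 53 74 61 72 74 65 64 20 70 6c 61 79 69 6e 67
20 76 6f 76 33 2e 00 07 64 65 74 61 69 6c 73 02
00 04 76 6f 76 33 00 08 63 6c 69 65 6e 74 69 64
02 00 08 70 41 41 37 41 52 44 41 00 00 09""")
FLASHVARS = "&file=vov3.flv&streamer=rtmp://123.30.50.46:8080/live&skin=/Images/modieus.swf&autostart=true"

def read_utf8(buf, pos):  # AMF0 UTF-8 field: u16 big-endian length, then bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated AMF0 string")
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def read_value(buf, pos):  # decode one AMF0 value, return (value, next_pos)
    marker, pos = buf[pos], pos + 1
    if marker == 0x00:  # number: IEEE-754 double, big-endian
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == 0x02:  # string
        return read_utf8(buf, pos)
    if marker == 0x05:  # null
        return None, pos
    if marker == 0x03:  # object: key/value pairs closed by 00 00 09
        obj = {}
        while True:
            key, pos = read_utf8(buf, pos)
            if key == "" and buf[pos] == 0x09:
                return obj, pos + 1
            obj[key], pos = read_value(buf, pos)
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")

def decode_command(buf):  # whole command body -> list of decoded values
    values, pos = [], 0
    while pos < len(buf):
        value, pos = read_value(buf, pos)
        values.append(value)
    return values

def rtmp_url(flashvars):  # join 'streamer' and 'file' the way the answer does
    fv = parse_qs(flashvars)
    return fv["streamer"][0].rstrip("/") + "/" + fv["file"][0]
```

The decoded `details` field of the onStatus object gives the stream name seen on the wire, which can be compared with the `file` value taken from the page source.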

Resources